> Note that ldap 'client' applications like ldapsearch
> use /etc/openldap/ldap.conf so I would suspect that the 'certificates'
> used by the 2 machines are different.

This might be the missing piece. The certificates were generated from a signing request to CAcert. However, while the certificate is installed on the server machine, it is not installed on the remote machine. I didn't think that was necessary, especially given that the certificate was generated explicitly for example.mydomain.com. I can try this.

I do know that the CAcert root certificate is not accepted by LDAP as coming from a valid certificate root authority. I managed to get around this by explicitly adding CAcert's root certificate to /etc/pki/tls/certs/ca-bundle.crt and adding that path to the /etc/openldap/ldap.conf config. I will try installing the certificate and then adding the path in /etc/openldap/ldap.conf.

I probably should have shown the /etc/openldap/ldap.conf file. For the record, here it is:

    HOST example.mydomain.com
    BASE dc=mydomain,dc=com
    URI ldaps://example.mydomain.com:636/
    tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt
    TLS_CACERTDIR /etc/openldap/cacerts

Have to go to work now, so will try later. Thanks.

> add -d 256 (or even higher debug level) to the ldapsearch command for
> debugging - I'm not going to hazard any actual guesses.

Thanks for this suggestion ... should have thought of it myself.

-- 
Paul (ganci at nurdog.com)
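The trust problem described in the message (a server certificate issued by a root that is not in the client's CA bundle, fixed by appending that root to the bundle) can be reproduced locally without any LDAP server. The script below is an added example, not code from the thread or from OpenLDAP: it builds a constructed root CA standing in for CAcert, issues a server certificate for example.mydomain.com from it, and then runs the same chain check the TLS client performs (`openssl verify -CAfile`) against a bundle that lacks the root and against one that contains it. The file names, the "Other Root" bundle content and the CA names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): reproduce an "unknown CA"
# chain failure and the fix of appending the issuing root to the CA bundle.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME FILE: create a constructed, self-signed root CA (stand-in for CAcert).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$2.key" -out "$WORK/$2.crt" \
    -subj "/CN=$1 (constructed)" >/dev/null 2>&1
}

# make_server_cert CAFILE: issue a server certificate for example.mydomain.com
# from the CA whose key/cert live under $WORK/CAFILE.{key,crt}.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/CN=example.mydomain.com" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/server.crt" >/dev/null 2>&1
}

# verify_against BUNDLE: succeed only if server.crt chains to a root in BUNDLE.
# This is the same path-validation step an LDAPS client does with tls_cacertfile.
verify_against() {
  openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
}

# Walk through the scenario: a bundle holding only an unrelated root fails,
# appending the issuing root (the "CAcert root" here) makes it pass.
demo() {
  make_ca "Stand-in CAcert Root" cacert
  make_ca "Other Root" other
  make_server_cert cacert
  cp "$WORK/other.crt" "$WORK/ca-bundle.crt"   # bundle without the issuing root
  if verify_against "$WORK/ca-bundle.crt"; then
    echo "unexpected: chain verified without the issuing root"; return 1
  fi
  echo "before: server cert rejected (issuer not in bundle)"
  cat "$WORK/cacert.crt" >> "$WORK/ca-bundle.crt"  # the fix from the message
  verify_against "$WORK/ca-bundle.crt"
  echo "after: server cert accepted (issuing root appended to bundle)"
}

demo
```

Note that `openssl verify` only checks the chain; matching the certificate's name against the URI host is a separate check the client performs, which is why a certificate issued for example.mydomain.com still has to chain to a trusted root on every machine that connects.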